Bug #50334 crypt ignores sha512 prefix
Submitted: 2009-11-30 12:48 UTC Modified: 2009-12-09 00:48 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: hanno at hboeck dot de Assigned: pajoye
Status: Closed Package: *Encryption and hash functions
PHP Version: 5.3.1 OS: Linux
Private report: No CVE-ID:
 [2009-11-30 12:48 UTC] hanno at hboeck dot de
Description:
------------
PHP has the crypt()-function which can create salted-hashes (e.g. usable for shadow-passwords). Although it's not documented, in PHP 5.2 it was possible to pass the prefix for sha512 like in the corresponding glibc-function.

Example:
echo crypt('foo','$6$$bar$');
gives
$6$$QMXjqd7rHQZPQ1yHsXkQqC1FBzDiVfTHXL.LaeDAeVV.IzMaV9VU4MQ8kPuZa2SOP1A0RPm772EaFYjpEJtdu.

Now the same code in PHP 5.3.1 gives
$6A86JNndVTdM
(which is basically just crypt ignoring the $6-prefix for the salt)

I assume it may have something to do with (cited from crypt-documentation):
"Note: As of PHP 5.3.0, PHP contains its own implementation and will use that if the system lacks of support for one or more of the algorithms. "

Reproduce code:
---------------
echo crypt('foo','$6$$bar$');

Expected result:
----------------
$6$$QMXjqd7rHQZPQ1yHsXkQqC1FBzDiVfTHXL.LaeDAeVV.IzMaV9VU4MQ8kPuZa2SOP1A0RPm772EaFYjpEJtdu.

Actual result:
--------------
$6A86JNndVTdM

 [2009-11-30 14:18 UTC] pajoye@php.net
Which linux distribution do you use exactly (name, version)?
 [2009-11-30 14:29 UTC] jani@php.net
Assigned to Pierre who broke this.
 [2009-11-30 14:31 UTC] jani@php.net
Pierre, this is caused by the bad idea of requiring ALL of blowfish, des, ext des and md5. You should provide the fallback only for those that aren't found.
 [2009-11-30 14:33 UTC] pajoye@php.net
Still need the answer to my question.
 [2009-11-30 14:42 UTC] hanno at hboeck dot de
I'm using Gentoo Linux. It has no "official" php 5.3 package, I'm using a modified own ebuild/eclass (to allow parallel installation of 5.2/5.3), if that matters you can grab it here:
https://svn.schokokeks.org/repos/overlay/trunk/
 [2009-11-30 14:45 UTC] pajoye@php.net
Hi,

thanks, it was only about having a libc with sha512 at hand to do the tests :)

Thanks,
 [2009-12-09 00:20 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291899
Log: - #50334, crypt ignores sha512 and add support for sha256/512 to php's crypt [DOC]
 [2009-12-09 00:48 UTC] pajoye@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2009-12-09 01:43 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291904
Log: - #50334, add CRYPT_SHA* constants and tests [DOC]
 [2009-12-09 10:39 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291913
Log: - #50334, add missing file
 [2009-12-09 10:39 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291914
Log: - #50334, fix trunk build
 [2009-12-09 17:40 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291924
Log: - #50334, fix build for platform without endian.h (like solaris)
 [2009-12-10 14:08 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291951
Log: - #50334, add define on win as well
 [2009-12-11 15:57 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291993
Log: - #50334, use our own implementations of stpncpy and mempcy, avoiding weird behaviors on certain platforms like solaris
 [2009-12-11 16:07 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=291994
Log: - #50334, add sha support for VC6 too, not merged in trunk as we don't support vc6 there
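
The failure reported in this bug is silent: crypt() returns a well-formed string, only in a different scheme from the one the salt asked for. The following is an added example, not code from the report or from PHP itself; it compares the scheme requested in the salt with the scheme of the returned string, using the salt and the two results quoted in the report. The helper names are hypothetical and PHP 7.1 or later syntax is assumed.

```php
<?php
// Added example; crypt_scheme(), scheme_mismatch() and crypt_checked()
// are hypothetical helper names, not part of PHP.

// Identify the scheme of a crypt() salt or result from its format alone.
function crypt_scheme(string $s): string
{
    if (preg_match('/^\$([0-9a-z]+)\$/', $s, $m)) {   // modular form: $<id>$...
        $ids = ['6' => 'sha512', '5' => 'sha256', '1' => 'md5',
                '2a' => 'blowfish', '2x' => 'blowfish', '2y' => 'blowfish'];
        return $ids[$m[1]] ?? 'unknown';
    }
    if (strlen($s) >= 9 && $s[0] === '_') {
        return 'ext-des';
    }
    return 'std-des';   // no recognised prefix: crypt() treats it as traditional DES
}

// Return null when the result uses the requested scheme, else a reason.
function scheme_mismatch(string $salt, string $hash): ?string
{
    if (strlen($hash) < 13 || $hash[0] === '*') {     // "*0"/"*1" are failure tokens
        return 'crypt() reported failure';
    }
    $want = crypt_scheme($salt);
    $got  = crypt_scheme($hash);
    return $want === $got ? null : "requested $want, got $got";
}

// Wrapper that refuses to hand back a hash in a different scheme.
function crypt_checked(string $password, string $salt): string
{
    $hash = crypt($password, $salt);
    if (($why = scheme_mismatch($salt, $hash)) !== null) {
        throw new RuntimeException("crypt() scheme check failed: $why");
    }
    return $hash;
}

// The salt and the two results quoted in the bug report.
$salt = '$6$$bar$';
$reported = [
    'PHP 5.2'   => '$6$$QMXjqd7rHQZPQ1yHsXkQqC1FBzDiVfTHXL.LaeDAeVV.IzMaV9VU4MQ8kPuZa2SOP1A0RPm772EaFYjpEJtdu.',
    'PHP 5.3.1' => '$6A86JNndVTdM',
];
foreach ($reported as $version => $hash) {
    echo $version, ': ', scheme_mismatch($salt, $hash) ?? 'ok (sha512)', "\n";
}
```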
 
Last updated: Fri Apr 18 20:01:57 2014 UTC